Zoom plugs security holes with new release
Written by Martyn Landi Thu 23 Apr 2020
The video conferencing app has been criticised for security and privacy issues in its software as user numbers rapidly increase during lockdown
Zoom says it has reached a “key milestone” in its promise to make the video conferencing app more secure, announcing the upcoming launch of a new version of the software.
The company confirmed Zoom 5.0 would be available this week after questions were raised about the platform’s safety settings.
Zoom revealed the new version of the app includes an upgraded encryption standard, a new, clearer security icon to access the safety settings, a tool to report users and new password controls.
The app was also criticised after it emerged some meeting data could have been routed through servers in China, so users can now also control which data centres their meeting data is routed through.
A number of the features had been previously confirmed by the company after it pledged at the beginning of April to stop all product development to focus on improving security features.
That came after the app was criticised for a number of security and privacy issues, including strangers forcing their way into meetings, a practice which has become known as ‘zoombombing’.
Zoom apologised and said it would fix any issues flagged to it, accepting it had to do more to protect users.
The company has seen its user base grow exponentially since the coronavirus lockdown began – jumping from around 10 million to over 200 million as people attempted to work and study from home as well as stay in touch with friends and family.
Several online safety agencies have now issued guides on how to use the platform, such has been the rapid rise of Zoom’s popularity.
Just the beginning
Zoom chief executive Eric Yuan said of the latest update: “I am proud to reach this step in our 90-day plan, but this is just the beginning. We built our business by delivering happiness to our customers.
“We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform.”
The video app was also criticised earlier this month after it emerged the platform was not using end-to-end encryption for all meetings, despite suggesting it was on its website.
As part of the Zoom 5.0 update, the company said it had upgraded its encryption to better protect meeting data and offer more resistance against tampering.
“We take a holistic view of our users’ privacy and our platform’s security,” Zoom chief product officer Oded Gal said.
“From our network to our feature set to our user experience, everything is being put through rigorous scrutiny.
“On the back end, AES 256-bit GCM encryption will raise the bar for securing our users’ data in transit.
“On the front end, I’m most excited about the security icon in the meeting menu bar. This takes our security features, existing and new, and puts them front and centre for our meeting hosts.
“With millions of new users, this will make sure they have instant access to important security controls in their meetings.”
Cyber security expert Jonathan Knudsen, senior security strategist at Synopsys, said that although Zoom’s update still did not offer full end-to-end encryption as defined by industry experts, security within the app had undoubtedly improved.
“In Zoom 5.0, the encryption algorithm has been strengthened, but this still does not change the fundamental architecture of Zoom, which does not fully implement end-to-end encryption,” he said.
“At the same time, given the recent intense scrutiny of Zoom’s infrastructure, the new changes in version 5.0 represent a renewed commitment to helping users safeguard confidentiality.
“For many of us, the risk of an adversary powerful enough to compromise Zoom’s infrastructure and intercept meeting content is low.
“For the most part, you can configure a reasonable degree of confidentiality by using a meeting password, monitoring participants, locking meetings after they start, and managing recordings carefully.”
Among the other new features confirmed in the update, the waiting room feature is now on by default, meaning all meeting participants are kept in individual virtual waiting rooms until they are admitted to the meeting.
This feature, in particular, is seen as a key tool in stopping Zoombombing.
Elsewhere, needing a password to join a meeting is now on by default, as is needing a password to access meeting recordings.
It is also now possible for meeting hosts to report a user in a meeting, as well as disable their ability to rename themselves.
Zoom’s announcement comes as MPs made history in the House of Commons by holding the first virtual Prime Minister’s Questions, with questions coming in from some MPs via Zoom.